Man-in-the-browser

Man-in-the-browser (MITB, MitB, MIB, MiB), a form of Internet threat related to man-in-the-middle (MITM), is a proxy Trojan horse[1] that infects a web browser by taking advantage of vulnerabilities in browser security to modify web pages, modify transaction content or insert additional transactions, all in a completely covert fashion invisible to both the user and host web application. A MitB attack will be successful irrespective of whether security mechanisms such as SSL/PKI and/or two or three-factor Authentication solutions are in place. A MitB attack may be countered by utilising out-of-bandtransaction verification, although SMS verification can be defeated by man-in-the-mobile (MitMo) malware infection on the mobile phone. Trojans may be detected and removed by antivirus software[2] with a 23% success rate against Zeus in 2009,[3] and still low rates in 2011.[4] The 2011 report concluded that additional measures on top of antivirus were needed.[4] A related, more simple attack is the boy-in-the-browser (BitB, BITB). The majority of financial service professionals in a survey considered MitB to be the greatest threat to online banking.

The man-in-the-browser threat was demonstrated by Augusto Paes de Barros in his 2005 presentation about backdoor trends "The future of backdoors - worst of all worlds".[5] The name man-in-the-browser was coined by Philipp Gühring on 27 January 2007.[6]

In a nutshell example exchange between user and host, e.g. an Internet banking transaction such as a funds transfer, the customer will always be shown, via confirmation screens, the exact payment information as keyed into the browser. The bank, however, will receive a transaction with materially altered instructions, i.e. a different destination account number and possibly amount. The use of strong authentication tools simply creates an increased level of misplaced confidence on the part of both customer and bank that the transaction is secure. Authentication, by definition, is concerned with the validation of identity credentials. This should not be confused with transaction verification.

A theoretically effective method of combating any MitB attack is through an out-of-band (OOB) transaction verification process. This overcomes the MitB Trojan by verifying the transaction details, as received by the host (bank), to the user (customer) over a channel other than the browser; for example an automated telephone call, SMS, or a dedicated mobile app with graphical cryptogram.[25] OOB transaction verification is ideal for mass market use since it leverages devices already in the public domain (e.g. landline, mobile phone, etc.) and requires no additional hardware devices yet enables three-factor authentication (utilising voice biometrics), transaction signing (to non-repudiation level) and transaction verification. The downside is that the OOB transaction verification adds to the level of the end-user's frustration with more and slower steps.

ZitMo (Zeus-In-The-Mobile) is not a MitB Trojan itself (although it performs a similar proxy function on the incoming SMSes), but is mobile malware suggested for installation on a mobile phone by a Zeus infected computer. By intercepting all incoming SMSes, it defeats SMS-based banking OOB two-factor authentication on Windows Mobile, Android, Symbian, BlackBerry.[27] ZitMo may be detected by Antivirus running on the mobile device.

Known Trojans may be detected, blocked and removed by antivirus software.[2] In a 2009 study, the effectiveness of antivirus against Zeus was 23%,[3] and again low success rates were reported in a separate test in 2011.[4] The 2011 report concluded that additional measures on top of antivirus were needed.[4]

Secure Web Browser: Several vendors can now provide a two-factor security solution where a Secure Web Browser is part of the solution[citation needed]. In this case MitB attacks are avoided as the user executes a hardened browser from their two-factor security device rather than executing the "infected" browser from their own machine.

Browser security software: MitB attacks may be blocked by in-browser security software such as Trusteer Rapport for Microsoft Windows and Mac OS X which blocks the APIs from browser extensions and controls communication.[12][11][15]

A related attack that is simpler and quicker for malware authors to set up is termed boy-in-the-browser (BitB or BITB). Malware is used to change the client's computer network routing to perform a classic man-in-the-middle attack. Once the routing has been changed, the malware may completely remove itself, making detection more difficult.[citation needed]